Malicious PDF — malware analysis report

Static analysis result for SHA-256 80a00c6b5c69974d…

Verdict: MALICIOUS
File type: PDF
Size: 71.4 KB
Authoring application: GIMP
MD5: 224e0b9f2d26a40f449222075d198ce1
SHA-1: 5c7ea8e478fc26a5cb65278c16c94a9256598fe9
SHA-256: 80a00c6b5c69974d75331a5cf73d83736bd39342a42967840ac89c24059ff7ee
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded external links, as indicated by the PDF_SEO_LINK_FARM heuristic. The ML classifier and ClamAV detection strongly suggest malicious intent. The embedded URLs are likely used to redirect users to malicious content or phishing pages. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL info
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000134e.bin
    SHA-256: bd8c16bb7a84ff405f2f2355f9955fa45e1af37e7ece73cfb12d4c6933092b36
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x134E
    Size: 10520 bytes
  • font_01_sfnt_off0000bd7b.bin
    SHA-256: 63112e7e1c3d771195690601e854a515994f49987439a175ca1e9ca3021d969e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xBD7B
    Size: 6220 bytes
  • font_02_sfnt_off0000cf90.bin
    SHA-256: 59cc8a76bec3a94f7a32447035be7808551f3ed77b30a2cb6757be9e8a44c412
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCF90
    Size: 16960 bytes